We peer with our ISP over dual Internet circuits. Our AnyConnect infrastructure is a pair of ASAs with a load-balance address. Pretty standard.
Currently we advertise the public addresses for the AnyConnect infrastructure out of both our uplinks to our ISP via BGP, with one link being preferred over the other (AS Prepend/Local Pref style). So effectively one link is the backup.
Now my question is if we manipulated BGP so that the outside Anyconnect GW1 IP preferred one link and the Anyconnect GW-2 IP the other link with the LB address down the Primary. Presumably the clients would hit the LB address then connect down either the A or B uplinks to the physical addresses? Would that work or completely break it?
It's gonna work perfectly; to avoid potential problems in the "redirect" phase, ensure that if there are any other layer 3 devices between your ASA pair and your ISP, those devices don't have any sort of stateful firewalls configured.
If it doesn't work, post here the issues you ran into, cause it has to work.
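The per-address preference discussed in this thread, sketched as an added example (not configuration posted by either participant). It assumes a single Cisco IOS edge router with one eBGP session per uplink, that the ISP accepts the prefix lengths shown, and that the prefixes are already in the BGP table; all AS numbers, addresses and names are constructed placeholders.

```cisco
! Constructed values: local AS 64500, ISP AS 64511, documentation address ranges.
! Replace the /32s with whatever prefix length your ISP actually accepts.
ip prefix-list VPN-LB  seq 5 permit 203.0.113.10/32
ip prefix-list VPN-GW1 seq 5 permit 203.0.113.11/32
ip prefix-list VPN-GW2 seq 5 permit 203.0.113.12/32
!
! Uplink A: preferred for the load-balance address and GW1, backup for GW2.
route-map TO-ISP-A permit 10
 match ip address prefix-list VPN-GW2
 set as-path prepend 64500 64500
! Everything else is advertised unchanged on this uplink.
route-map TO-ISP-A permit 20
!
! Uplink B: preferred for GW2, backup for the load-balance address and GW1.
route-map TO-ISP-B permit 10
 match ip address prefix-list VPN-GW1 VPN-LB
 set as-path prepend 64500 64500
route-map TO-ISP-B permit 20
!
router bgp 64500
 ! Uplink A neighbor (constructed address)
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 route-map TO-ISP-A out
 ! Uplink B neighbor (constructed address)
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 route-map TO-ISP-B out
```

Prepending only steers inbound traffic; return traffic still follows the router's own outbound best path, so a session can arrive on one uplink and leave on the other. That asymmetry is why the reply asks for no stateful filtering on layer 3 devices between the ASA pair and the ISP.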